We have been working on exclusions for our Access Protection policies that will allow us to update various applications (Java, Adobe, Chrome, etc.) on the user desktops. We are able to exclude the name of the installer itself (i.e. AdobeAir.exe) but these installers often create randomly named installers that need to run in sensitive areas of the OS and are blocked by Access Protection.
What is the best way to exclude these application updates? Can exclusions be done on a username basis? Can we schedule times of the day or week when Access Protection on all machines will be disabled so we can perform automated updates?
I think you are referring to AP blocking files from running from the Temp folder. I have seen this behaviour in the past, and the way is to create the new name of the file which is trying to run from the Temp folder. I think this is a bit of a pain, but since this rule is not enabled by default and it is something that you have enabled (extra protection), exclusions must be done to balance between security and functionality.
Exclusions on a username basis are not possible.
I would not disable AP, as doing that opens a security hole. Try to create exclusions that you really think must be created.
Please let me know if you need more help.